International Association of Privacy Professionals (IAPP) | March.24.2020
Keily Blair and James Lloyd, partners in our Cyber & Data Privacy Enforcement & Litigation Practice in London, recently spoke with IAPP about the rise in civil litigation claims across the EU following the enactment of the EU General Data Protection Regulation (GDPR) and the U.K. Data Protection Act of 2018.
The GDPR enables plaintiffs to sue for compensation based on the damage suffered in a data breach. Lawyers say there has been a significant increase in cases brought alleging this has occurred, often as a "follow-on" to data protection authorities' investigations.
“What we’re seeing now on the ground in the U.K. is, I would say, about five years behind the American market," said Keily, who heads our cyber and privacy litigation and enforcement team in London. "The interesting thing in the U.K. is we’re seeing an emergence of group actions in this space either through group litigation orders — which are opt-in class litigations, essentially — but also the possibility of opt-out actions or representative actions."
According to Keily, such actions are relatively new in the U.K. because it has been reticent to let class actions take hold "for fear it would open the floodgates." But changes to the U.K.'s Civil Procedure Rule made space for such claims.
"Folks have been trying to use group actions for about a decade now, if not more," James said, noting, "The difficulty has been identifying the class. The courts have always struggled to figure out where certain claimants have had a specific loss. Everyone is alleging ‘distress,’ now there is a push to try and rely on misuse of data and user damages, which means that the differences fall away.”
You can read Keily and James’ full comments on the IAPP site.